Security Improvements For This Website
    #1 00001001 (Amsterdam, joined Nov 2016)

    Security Improvements For This Website


    Selam Aleykum,

    I wanted to tell this with kind words. But sorry, I can't...

    The security of this website is a joke. No TLS a.k.a. HTTPS? Meaning everybody could possibly read your password when you log in (oops, your bank account with the same username and password just got hacked). I wouldn't be surprised if you didn't even hash the passwords before storing them.

    Anyway, for the love of god, Google for "Let's Encrypt"; you can get an SSL certificate for free, as it is a non-profit. It would probably take you like 10 minutes to get the certificates and an additional 10 for changing the settings for your servers.

    #2 kritikvernunft (joined Jun 2016)

    Re: Security Improvements For This Website

    Quote Originally Posted by 00001001:
    No TLS a.k.a. HTTPS?
    TLS/SSL will not make much of a difference. The very same parties who can intercept http can also intercept https: "95% of HTTPS servers vulnerable to trivial MITM attacks". If you fancy intercepting other people's TLS traffic over wifi, then install sslsplit or mitmproxy. It is trivial to intercept mobile network traffic. There are cheap devices available to do that.
    Quote Originally Posted by 00001001:
    Anyway, for the love of god, Google for "Let's Encrypt"; you can get an SSL certificate for free, as it is a non-profit. It would probably take you like 10 minutes to get the certificates and an additional 10 for changing the settings for your servers.
    Using TLS/SSL will actually give a false sense of security. Security theatre is not without danger. Some people may really start believing in the effectiveness of what are otherwise just cargo-cult TLS rituals.

    It is perfectly OK to start running the site in TLS/SSL, but without ever making the false claim that it would then be safer.

    It is quite possible to build relatively secure forum applications, but they will have to implement their own cryptographic primitives. For example, bitsquare.io has a famously secure architecture.

    Another alternative is to do like Facebook and allow access to the site from the Tor network. It is also perfectly possible to run the site simultaneously on the clearnet and on the darknet (like Facebook does). Tor traffic to a darknet site is encrypted automatically over TLS/SSL, without the certificate-authority cesspool that makes https so vulnerable to interception.

    #3 AabiruSabeel (joined Mar 2006)

    Re: Security Improvements For This Website



    for the suggestion, we plan to implement it soon.

    Quote Originally Posted by 00001001:
    I wouldn't be surprised if you didn't even hash the passwords before storing them.
    Be assured that passwords are hashed and not stored anywhere in plaintext.

    عن عبد الله بن مسعود رضي الله عنه : ـ
    مَن كانَ مُسْتَنًّا ، فَلْيَسْتَنَّ بمن قد ماتَ ، فإنَّ الحيَّ لا تُؤمَنُ عليه الفِتْنَةُ ، أولئك أصحابُ محمد - صلى الله عليه وسلم - ، كانوا أفضلَ هذه الأمة : أبرَّها قلوبًا ، وأعمقَها علمًا ، وأقلَّها تكلُّفًا ، اختارهم الله لصحبة نبيِّه ، ولإقامة دِينه ، فاعرِفوا لهم فضلَهم ، واتبعُوهم على أثرهم ، وتمسَّكوا بما استَطَعْتُم من أخلاقِهم وسيَرِهم ، فإنهم كانوا على الهُدَى المستقيم
    رواه ابن عبد البر في "جامع بيان العلم وفضله" (2/947ـ رقم 1810) ـ
    ‘Abdullah ibn Mas‘ood said: “Whoever wants to follow a path, let him follow the path of one who has died, for the living are not safe from fitnah. I mean the Companions of Muhammad . They were the best of this ummah: the purest in heart, the deepest in knowledge and the most straightforward. Allah chose them to accompany His Prophet and establish His religion, so recognise their status and follow in their footsteps and adhere as much as you can to their example of conduct and attitude, for they followed true guidance.” [Ibn ‘Abd al-Barr in Jaami‘ Bayaan al-‘Ilm wa Fadluhu, 2/947, no. 1810]
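Added example, not code from this forum or its software: what "hashed and not stored in plaintext" needs to mean in practice. A bare digest with no salt (MD5 is shown only for contrast) gives every member with the same password the same hash and is cheap to brute-force from a leaked table; a salted, iterated scheme such as PBKDF2-HMAC from Python's standard library avoids both. The record format, the iteration count and the sample passwords are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not the forum's configuration).
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16        # per-user random salt
DKLEN = 32             # derived key length in bytes


def hash_password(password: str) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed (rainbow) tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=DKLEN)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored in the record.

    Old records keep verifying after ITERATIONS is raised for new ones, and
    the comparison is constant-time so a wrong guess cannot be timed.
    """
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        if not expected:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                     int(iterations), dklen=len(expected))
    except ValueError:
        return False  # malformed record: wrong field count, bad hex or non-integer count
    return hmac.compare_digest(digest, expected)


def unsalted_md5(password: str) -> str:
    """The weak scheme: no salt, no work factor. Shown only for contrast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def same_hash_for_same_password(hasher, password: str) -> bool:
    """True if hashing the same password twice yields identical output,
    i.e. a leaked table reveals which users share a password."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                  # False
    print(same_hash_for_same_password(unsalted_md5, "hunter2"))    # True: weak
    print(same_hash_for_same_password(hash_password, "hunter2"))   # False: salted
```

Storing the parameters inside the record is what lets the work factor be raised later without a forced password reset: new logins are re-hashed with the new count, old records still verify with theirs.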

    #4 00001001 (Amsterdam, joined Nov 2016)

    Re: Security Improvements For This Website

    Quote Originally Posted by kritikvernunft:
    TLS/SSL will not make much of a difference. The very same parties who can intercept http can also intercept https: "95% of HTTPS servers vulnerable to trivial MITM attacks". If you fancy intercepting other people's TLS traffic over wifi, then install sslsplit or mitmproxy. It is trivial to intercept mobile network traffic. There are cheap devices available to do that.
    What are you talking about? The article you noted clearly states that 95% haven't enabled HTTP Strict Transport Security (HSTS). The moment you turn the feature on, a MITM attack becomes almost impossible.

    Also, I am not talking about state actors or skilled hackers. It's more about people accessing islamicboard on a public wifi, be it at university or somewhere else.

    #5 00001001 (Amsterdam, joined Nov 2016)

    Re: Security Improvements For This Website

    Quote Originally Posted by kritikvernunft:
    sslsplit or mitmproxy. It is trivial to intercept mobile network traffic. There are cheap devices available to do that.
    Also, thanks for these tools!

    #6 kritikvernunft (joined Jun 2016)

    Re: Security Improvements For This Website

    Quote Originally Posted by 00001001:
    The article you noted clearly states that 95% haven't enabled HTTP Strict Transport Security (HSTS). The moment you turn the feature on, a MITM attack becomes almost impossible.
    Apparently, the new "STS preloaded list" could conceivably work in a similar way to how SSH looks up the server's key in the known_hosts file, but it only does that for the 100 most popular sites, or so. Hence, Certificate and Public Key Pinning would not work for this site, or for most other sites either. It would solve the problem for most of the traffic, but not for most of the sites. With the following problem having run out of control a long time ago:
    Certificate pinning allows bypassing standard certificate authority chains to mitigate the risk of a valid certificate being issued to a criminal.
    The TLS/SSL certificate authority cesspool is considered a bad joke. Just security theatre.
    Quote Originally Posted by 00001001:
    Also, I am not talking about state actors or skilled hackers. It's more about people accessing islamicboard on a public wifi, be it at university or somewhere else.
    Well, SSH is quite resilient against state actors or skilled hackers. The SSL/TLS certificate authority cesspool is not.
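Added example, not part of the thread or of the site's code, for the HSTS mechanics argued over in posts #4 and #6: a small model of a browser's HSTS store. It shows that the header is only honoured when it arrives over HTTPS (someone on the same wifi cannot plant or clear a policy over plain http), that after one good HTTPS visit the browser rewrites http:// navigations to https:// itself before any packet leaves the machine (which is what defeats an http-stripping proxy on public wifi), that the very first visit is still unprotected unless the host is on the preload list, and that the policy expires with max-age. The preload set and the host names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical stand-in for the preload list compiled into browsers (assumption).
PRELOADED = {"preloaded.example"}


def parse_hsts(value: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when there is no
    usable max-age, in which case a browser ignores the header entirely.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" and unknown directives are ignored by the browser itself
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """A minimal model of a browser's HSTS state, keyed by host."""

    def __init__(self, now: int = 0):
        self.now = now          # seconds; advanced by the caller
        self.policies = {}      # host -> (expires_at, include_subdomains)

    def record(self, url: str, headers: dict) -> bool:
        """Learn a policy from a response. Returns True if one was applied.

        The header only counts on a response received over HTTPS, so an
        attacker answering plain http on the cafe wifi cannot plant or
        withdraw a policy for the site.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = headers.get("strict-transport-security")
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:        # max-age=0 is how a site withdraws its policy
            self.policies.pop(parts.hostname, None)
        else:
            self.policies[parts.hostname] = (self.now + max_age, include_subdomains)
        return True

    def is_known(self, host: str) -> bool:
        """Live policy for this host, or for a parent with includeSubDomains?"""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in PRELOADED:      # preloaded entries always cover subdomains
                return True
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if expires_at <= self.now:
                continue                    # expired: as if the browser never saw it
            if i == 0 or include_subdomains:
                return True
        return False

    def navigate(self, url: str) -> str:
        """Return the URL the browser actually requests for a typed or linked URL.

        For a known host the upgrade happens inside the browser, so no plain
        http request ever reaches the network. On the first ever visit, or
        after expiry, the http request goes out and can be stripped.
        """
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc
        if parts.port == 80:                # an explicit :80 becomes the https default
            netloc = parts.hostname
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    browser = HstsStore(now=1_000)
    # First ever visit: no policy, the plain http request leaves the machine.
    print(browser.navigate("http://forum.example/login"))
    # Header over plain http is ignored; the real site sends it over https.
    print(browser.record("http://forum.example/", {"strict-transport-security": "max-age=31536000"}))
    print(browser.record("https://forum.example/", {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
    # From now on the browser rewrites http:// to https:// before connecting.
    print(browser.navigate("http://forum.example/login"))
    print(browser.navigate("http://www.forum.example:80/"))
    # A preloaded host is protected even on the very first visit.
    print(browser.navigate("http://preloaded.example/"))
```

The first-visit gap is the real limit of HSTS for a site that is not preloaded: a member who has never loaded the forum over https on that browser is still exposed once, which is why the redirect from http to https and a long max-age both matter.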

    #7 AabiruSabeel (joined Mar 2006)

    Re: Security Improvements For This Website

    We have enabled HTTPS now.


    #8 AabiruSabeel (joined Mar 2006)

    Re: Security Improvements For This Website



    We have noticed that some of the images used by members in their signatures are not linked from secure hosts. We will be automatically converting all such links to https, and if the host does not support it, the image will not be displayed properly. Please make sure that any image that you link from an external source uses the https protocol.
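Added example, not the forum software's own code, of the link rewriting described above: upgrade http:// image sources in both BBCode [IMG] tags and HTML <img> tags to https://, leave ordinary hyperlinks alone (a link the reader clicks is not mixed content; an image loaded into the https page is), and report which images will still display afterwards. The table of https-capable hosts and the sample signature are constructed for the example; in production that check would be a real connection attempt to each host.

```python
import re
from urllib.parse import urlsplit

# Constructed for the example: hosts that an offline table says answer on https.
HTTPS_CAPABLE_HOSTS = {"img.example", "cdn.example"}

# HTML <img ... src="http://..."> and BBCode [IMG]http://...[/IMG]. Attribute
# order, spacing and quoting vary in member signatures, so the patterns are loose.
_HTML_IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc\s*=\s*["\']?)http://', re.IGNORECASE)
_BBCODE_IMG = re.compile(r'(\[img\]\s*)http://', re.IGNORECASE)
_IMAGE_URL = re.compile(
    r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)|\[img\]\s*(.*?)\s*\[/img\]',
    re.IGNORECASE | re.DOTALL)


def upgrade_image_links(markup: str) -> str:
    """Rewrite http:// image sources to https://.

    Only image sources are touched: an <a href="http://..."> is a navigation
    the reader chooses, not content loaded into the https page.
    """
    markup = _HTML_IMG_SRC.sub(r"\g<1>https://", markup)
    return _BBCODE_IMG.sub(r"\g<1>https://", markup)


def image_urls(markup: str) -> list:
    """Extract image URLs from both markup styles, in document order."""
    return [html_src or bbcode_src for html_src, bbcode_src in _IMAGE_URL.findall(markup)]


def will_display(url: str) -> bool:
    """Will this image load inside an https page?

    An http:// image is mixed content and is blocked (or auto-upgraded, which
    comes down to the same test); an https:// URL only loads if the host really
    serves TLS. Anything else shows as a broken image.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in HTTPS_CAPABLE_HOSTS


def migrate_signature(markup: str):
    """Apply the rewrite and report, per image, whether it will still show."""
    upgraded = upgrade_image_links(markup)
    return upgraded, {url: will_display(url) for url in image_urls(upgraded)}


if __name__ == "__main__":
    # Constructed sample signature mixing both syntaxes and a plain hyperlink.
    signature = ('[IMG]http://img.example/banner.png[/IMG] '
                 '<img src="http://cdn.example/flag.gif" alt="flag"> '
                 '[IMG]http://oldhost.example/old.jpg[/IMG] '
                 '<a href="http://site.example/">my site</a>')
    upgraded, report = migrate_signature(signature)
    print(upgraded)
    for url, ok in report.items():
        print(("displays " if ok else "BROKEN   ") + url)
```

The third image in the sample is the case the post warns about: the link is rewritten to https, but its host does not serve TLS, so the member sees a broken image until they move it to a host that does.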
